OAuth Implementation for ASP.NET Web API using Microsoft Owin.

OAuth is an open standard for token based authentication and
authorization on internet. In simple terms OAuth provides a way for
applications to gain credentials to other application without directly
using user names and passwords in every requests. This is to reduces the
chances of user name and passwords getting compromised in the wire and
improve the security.

This post explains how to implement the OAuth token based authentication
mechanism to your Web API methods.

Let’s take an example where several third party connected apps try to
connect to a web api with the given client id and client secret. Imagine
the scenario where all the connected apps will have background processes
to get and post data through the web api and there are no users
involved. So in this case it uses client id and client secret to
generate a token. The following diagram explains the process.

Now as you have an understanding of what the business requirement is
Let’s look into the code how we can implement the token based
authentication to the web api solution.

In the above code Token end point refers to the relative path of your
web api which needs to be called to generate the token. In this case it
is “oauth/token”

Provider is the custom class that we write with the authentication and
token generation logic.

Access Token Expire Time Span refers to the duration we want to keep the
token alive. We can define this in the web config file and refer it from
there. In the above code General class property reads the web config
value.

Allow Insecure Http refers whether we want to restrict the web api to be
accessed through secured layer or not.

Then from the main start up class we can call the above ConfigureAuth
method as follows.

Next, we will see how to implement the OAuthProvider Class. Basically in
that class we can override the methods so that we can define the way we
want to generate the token.

The following class implementation represents how to implement the token
generation using client id and client secret. (Apart from this we can
override the GrantResourceOwnerCredentials() in case we want to use
username,password combination for generating the password).

First we need to override the ValidateClientAuthentication method. From
this we extract the client id and client secret in the request.

Next we will override GrantClientCredentials method inside the same
class. Here we validate the client id and client secret with the DB and
create the token. For the token we can add claims as we want. In this
case we add the client id only. This claims will be accessible via the
context object in the subsequent requests.

publicoverrideTaskGrantClientCredentials(OAuthGrantClientCredentialsContextcontext){returnTask.Factory.StartNew(()=>{try{boolisValid=false;isValid=true;//This should be the Service/DB call to validate the client id, client secret.//ValidateApp(context.ClientId, clientSecret);if(isValid){varoAuthIdentity=newClaimsIdentity(context.Options.AuthenticationType);oAuthIdentity.AddClaim(newClaim("ClientID",context.ClientId));varticket=newAuthenticationTicket(oAuthIdentity,newAuthenticationProperties());context.Validated(ticket);}else{context.SetError("Error",tuple.Item2);logger.Error(string.Format("GrantResourceOwnerCredentials(){0}Credentials not valid for ClientID : {1}.",Environment.NewLine,context.ClientId));}}catch(Exception){context.SetError("Error","internal server error");logger.Error(string.Format("GrantResourceOwnerCredentials(){0}Returned tuple is null for ClientID : {1}.",Environment.NewLine,context.ClientId));}});}

Then, we will look at how to authorize the controller actions using this
token. It is simple, all you need to do it decorate the action with the
[Authorize] tag. This will check token validity before its executes
the action method. Following is an example. Create a controller called
“PropertyController” and inside that you can define an action as below.

publicclassPropertyController:ApiController{[Authorize][HttpGet]publicIHttpActionResultGetProperty(intpropertyID){intclientID=OwinContextExtensions.GetClientID();try{//var result = Service or DB Call(clientID, propertyID)returnJson(new{PropertyName=string.Format("Property - {0}",propertyID),Success=true});}catch(Exceptionex){returnContent(HttpStatusCode.InternalServerError,ex.Message);}}}

Here you can extract the claims that you have added to the token. In our
example it was only the client id. You can write a separate class for
these types of extractions. Following shows that extension class.

That’s pretty much it. Now we can test the web api using postman as
shown below.

We need to enter the correct url. It should be the
“websiteurl/oauth/token”. The relative path should matched with the
token end point that we have configured in the oauth options. Once the
client id and secret is validated access token is generated as above.

We can use this token in order to call other api methods which we have
decorated with [authorize] attribute. In our example we are going to
call the GetProperty action in our Property controller using that token.
The way to call your action using postman is shown below.

You need to use Authorization tag and as the value (Bearer “token”).
This is the token generated in the previous step.

There you go. You have the response. Simple as that. You can write your
own controllers and actions and build a complete web api from here
onwards.

In my next post I will share how we can integrate swagger and directly
call our web api using that without using postman.